Fix the login destination alternate path

FusionPBX 2025-02-05 18:10:15 -07:00 committed by GitHub
parent 7f2f0df9b8
commit 76de2bee83
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 22 additions and 11 deletions


@ -17,7 +17,7 @@
The Initial Developer of the Original Code is The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com> Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2023 Portions created by the Initial Developer are Copyright (C) 2008-2025
the Initial Developer. All Rights Reserved. the Initial Developer. All Rights Reserved.
Contributor(s): Contributor(s):
@ -128,7 +128,6 @@
//if not authorized //if not authorized
if (empty($_SESSION['authorized']) || !$_SESSION['authorized']) { if (empty($_SESSION['authorized']) || !$_SESSION['authorized']) {
//log the failed auth attempt to the system to the syslog server //log the failed auth attempt to the system to the syslog server
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH); openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]); syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]);
@ -143,21 +142,33 @@
//if logged in, redirect to login destination //if logged in, redirect to login destination
if (!isset($_REQUEST["key"])) { if (!isset($_REQUEST["key"])) {
//create database object
$database = database::new();
//connect to the settings object
$settings = new settings(['database' => $database, 'domain_uuid' => $domain_uuid, 'user_uuid' => $user_uuid]);
//redirect the user
if (isset($_SESSION['redirect_path'])) { if (isset($_SESSION['redirect_path'])) {
$redirect_path = $_SESSION['redirect_path']; $redirect_path = $_SESSION['redirect_path'];
unset($_SESSION['redirect_path']); unset($_SESSION['redirect_path']);
// prevent open redirect attacks. redirect url shouldn't contain a hostname // prevent open redirect attacks. redirect url shouldn't contain a hostname
$parsed_url = parse_url($redirect_path); $parsed_url = parse_url($redirect_path);
if ($parsed_url['host']) { if ($parsed_url['host']) {
die("Was someone trying to hack you?"); die("Was someone trying to hack you?");
} }
header("Location: ".$redirect_path); header("Location: ".$redirect_path);
exit;
} }
elseif (isset($_SESSION['login']['destination']['text'])) { elseif (!empty($settings->get('login', 'destination', ''))) {
header("Location: ".$_SESSION['login']['destination']['text']); header("Location: ".$settings->get('login', 'destination', ''));
exit;
} }
elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) { elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) {
header("Location: ".PROJECT_PATH."/core/dashboard/"); header("Location: ".PROJECT_PATH."/core/dashboard/");
exit;
} }
else { else {
require_once "resources/header.php"; require_once "resources/header.php";